Deep packet inspection

Goal: Use DPI on select workloads to efficiently make use of cluster resources and minimize the impact of false positives.

For each deep packet inspection resource (DeepPacketInspection), CalicoCloud creates a live network monitor that inspects the header and payload information of packets that match the Snort community rules. Whenever malicious activities are suspected, an alert is automatically added to the Alerts page in the Calico Manager UI.

Steps

1. Configure deep packet inspection for your target workload; we will use hipstershop/frontend as the example.

   ```bash
   kubectl apply -f demo/dpi/sample-dpi-frontend.yaml
   ```

2. Configure resource requirements in IntrusionDetection.

   For a data transfer rate of 1GB/sec on the workload endpoints being monitored, we recommend a minimum of 1 CPU and 1GB RAM.

   ```bash
   kubectl apply -f demo/dpi/resource-dpi.yaml
   ```

3. Verify that deep packet inspection is running and that the tigera-dpi daemonset is also running.

   ```bash
   kubectl get deeppacketinspections -n hipstershop
   kubectl get pods -n tigera-dpi
   ```

   ```
   NAME               READY   STATUS    RESTARTS   AGE
   tigera-dpi-66858   1/1     Running   0          3h58m
   tigera-dpi-x67sj   1/1     Running   0          3h58m
   ```

4. Trigger a Snort alert based on an existing alert rule; we will use rule 57461.

   ```bash
   SVC_IP=$(kubectl -n hipstershop get svc frontend-external -ojsonpath='{.status.loadBalancer.ingress[0].ip}')

   # use the command below if you are using an `EKS` cluster, as EKS uses a hostname instead of an IP for the load balancer
   SVC_IP=$(kubectl -n hipstershop get svc frontend-external -ojsonpath='{.status.loadBalancer.ingress[0].hostname}')
   ```

   For RKE/kubeadm clusters, your frontend-external load balancer will be in mode; you can either test from within the cluster, add an external IP, or use an ingress controller to expose this service.

   ```bash
   # add an external IP for your svc
   kubectl edit -n hipstershop svc frontend-external
   ```

   ```yaml
   spec:
     clusterIP: 10.43.111.144
     clusterIPs:
     - 10.43.111.144
     externalIPs:    ## Add this line for your service
     - 34.xxx.xxx.88 ## Add the public IP of a node that has a frontend pod running as the endpoint for this value
   ```

   ```
   NAME                TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)        AGE
   frontend-external   LoadBalancer   10.43.111.144   34.xxx.xxx.88   80:31209/TCP   5h52m
   ```

   Workaround: if the DPI alert cannot be generated in the UI, the policy allow-tigera.guardian-access may be blocking the DPI alert from reaching ES. We will update this policy to allow TCP in ingress before running curl.

   ```bash
   # curl the frontend service from within the cluster
   kubectl -n dev exec -t netshoot -- sh -c "curl http://frontend.hipstershop/secid_canceltoken.cgi -H 'X-CMD: Test' -H 'X-KEY: Test' -XPOST"
   # curl your load balancer from outside the cluster
   curl http://$SVC_IP:80/secid_canceltoken.cgi -H 'X-CMD: Test' -H 'X-KEY: Test' -XPOST
   # curl your external IP with the NodePort from outside the cluster
   curl http://34.xxx.xxx.88:31209/secid_canceltoken.cgi -H 'X-CMD: Test' -H 'X-KEY: Test' -XPOST
   ```

5. Confirm the Signature Triggered Alert in the Manager UI and also in Kibana under the ee_event Signature Alert.

   (Screenshot: ee event log)
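For reference, the two manifests applied in steps 1 and 2 could look like the following; this is an added illustration, not the contents of the repo's demo/dpi/sample-dpi-frontend.yaml or demo/dpi/resource-dpi.yaml. The resource names, the selector `app == "frontend"` and the request/limit values are assumptions.

```yaml
# Added illustration; names and values are assumptions, not the repo's own manifests.
# DeepPacketInspection: selects the pods whose traffic tigera-dpi inspects against
# the Snort community rules. Keep the selector narrow so that only the workloads
# you actually want monitored consume DPI CPU and memory (the goal stated above).
apiVersion: projectcalico.org/v3
kind: DeepPacketInspection
metadata:
  name: sample-dpi-frontend        # assumed name
  namespace: hipstershop
spec:
  selector: app == "frontend"     # assumed pod label on the hipstershop frontend
---
# IntrusionDetection: sets the CPU/memory for the tigera-dpi daemonset pods.
# Sized to the page's recommendation of at least 1 CPU and 1GB RAM per 1GB/sec
# of monitored traffic; raise these if more endpoints are selected.
apiVersion: operator.tigera.io/v1
kind: IntrusionDetection
metadata:
  name: tigera-secure
spec:
  componentResources:
    - componentName: DeepPacketInspection
      resourceRequirements:
        requests:
          cpu: "1"
          memory: 1Gi
        limits:
          cpu: "1"
          memory: 1Gi
```

After applying, `kubectl get deeppacketinspections -n hipstershop` (step 3) should list the resource, and the tigera-dpi pods should show the new requests/limits in `kubectl describe pod -n tigera-dpi`.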


➡️ Compliance reports

↩️ Back to README.md